Organizations are inundated with the latest security solutions and “expert” opinions on what they should be doing. In many cases, it might make more sense to take a step back and decide on a framework to map your current security posture against and get back to basics in developing solid cyber hygiene. One of these frameworks would be the Critical Security Controls (CSC) published and maintained by the Center for Internet Security (CIS). The very first control defined is to develop an inventory of authorized and unauthorized devices on the network.

The rest of this discussion centers around embracing CSC 1 and how that can help you determine what in your organization needs to be protected and how to do it. The description of CSC 1 is as follows: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. There are a lot of areas covered in this control as it should include asset inventory as well as identifying and understanding the role of all devices throughout the enterprise.

Let’s take a closer look at the six sub-controls defined within this area.

Sub-control 1.1 specifies the use of an automated asset discovery tool to help build the initial inventory of systems for both the public and private networks. Both active and passive tools should be used to help provide as much visibility as possible in building out the list of hosts. Passive tools would include packet scanners and other tools that will help identify hosts and their functions by analyzing their traffic. DHCP requests provide information about the device requesting an IP address, and are therefore useful in detecting unknown systems connected to the network and providing some basic endpoint information.

Sub-control 1.2 recommends logging these requests and using the information for investigation of these devices. This information is usually forwarded to Network Access Control (NAC) solutions to help notify the solution about new devices on the network and start the profiling process. Once the inventory is built, it will quickly become outdated unless all new equipment acquisitions are automatically updated so that the approved devices can be connected to the network.

Sub-control 1.3 requires that an automated system or methodology is deployed to maintain the inventory integrity.

Sub-control 1.4 dictates the type of information that is mandatory to collect within this inventory. This would include the following information: network address, machine name, purpose of each system, asset owner responsible for the device, and the department of the device. This information should be tracked for all devices with an IP address on the network including desktops, laptops, network equipment, printers, storage, VOIP phones, virtual addresses, and any other device. These devices should also be identified as company owned or personal devices so that proper policies can be applied. Network level authentication via 802.1x is required by:

Sub-control 1.5, to help control which devices can be connected to the network. The 802.1x should be tied to inventory to determine if a device is authorized or not to be on the network. Because 802.1x is not feasible for all organizations, the principle can still be enforced with various Network Access Control solutions including systems that would rely on Active Directory (AD) or any other database that would track valid users and systems. Policies can be created to permit authorized AD users using authorized domain computers, appropriate access into the network, otherwise limited or no access can be enforced.

The last sub-control is 1.6, which suggests that client certificates should be installed on all corporate devices and used to provide access to the private network. The reason that this is an optional control as opposed to a foundational control like the others, is that implementing and maintaining a certificate system for endpoints would be difficult for many organizations to embrace and utilize because of the added complexity and administrative requirements. As long as the endpoints can all be identified and defined by the previous sub-controls, certificates would not be necessary.

A properly designed and implemented Network Access Control system can address all of the requirements of CSC1 and also parts of some of the other Critical Security Controls. Knowing exactly what should be on your network will help you identify and control access to the appropriate resources through the enterprise.

ePlus provides assessments that help gauge the effectiveness of your current security program, and help you better protect your organization. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. For more information about how you can implement the recommendations of the CSC1 sub-controls, visit https://www.cisecurity.org/controls/ or contact us at eplus-security@eplus.com. You can also contact your ePlus Account Executive directly.